Abstract


There are nowadays various e-business applications, such as sealed-bid
auctions and electronic voting, that require time-delayed decryption of
encrypted data. The literature offers at least three main categories of
protocols that provide such timed-release encryption (TRE). They rely
either on forcing the recipient of a message to solve some time-consuming,
non-parallelizable problem before being able to decrypt, or on the use of
a trusted entity responsible for providing a piece of information which is
necessary for decryption. This article discusses the mathematical
background required for implementing TRE methods, including factorization,
quadratic residues and the bilinear Diffie-Hellman problems, along with a
sample protocol for each of the approaches studied here.


2000 Mathematics Subject Classification: 11Y16, 14G50, 11D09, 

1 Introduction


The essence of timed-release encryption (proposed by May in [16]) is to 
encrypt a message so that no one, including the designated recipient(s), will 
be able to decrypt it before a specified time instant. 

Various TRE solutions have been proposed in the literature. As a first
cut, [16] described a basic mechanism in which a third party has the role
of an escrow agent, storing the encrypted messages and transmitting them to
the recipient at the time instant specified by the sender. Since then, a
number of innovative mechanisms have appeared, each with its own advantages
and disadvantages. In 1996, [19] suggested the method of Time-Lock Puzzles
(TLPs), which was based on a non-parallelizable problem that could be
easily constructed, but required a minimum amount of time to solve. The
same article also describes how any asymmetric encryption scheme could be
easily modified to support TRE: a third entity, called a Key Generation
Center (KGC), produces a key pair for each required time instant and
publishes the public part of these keys right away, so that encryption is
possible. Then, the KGC broadcasts each private (decryption) key at the
corresponding time instant. The above techniques were improved later in
[15, 5]. Although additional approaches were also proposed [9], the
breakthrough in the field of TRE came after the introduction of
identity-based encryption [3]. Beginning in 2003 with [17], various
protocols were proposed, based on the quadratic residue assumption and on
the properties of bilinear pairings on elliptic curve groups.


2 Time-Lock Puzzles 


All existing CPU-based TLP approaches are based on the same problem:
Given a large composite number, $n$, and integers $t < n$ and $a$ with
$\gcd(a, n) = 1$, compute the secret value (akin to a decryption key)

$$b = a^{2^t} \pmod{n}. \qquad (1)$$

It is known that, without factoring $n$, $b$ can be computed in $t$
squarings modulo $n$ [15]. We remark that $b$ can be easily computed by the
sender, as she constructs $n$, and thus knows $\phi(n)$ (Euler's phi
function of $n$), while it has been proven that this problem cannot be
parallelized.

The following is a sample TLP-based protocol from [19]. We assume
that we have a sender who wants to encrypt a message $M$ via a time-lock
puzzle, to be decrypted in at least $T$ seconds. The steps that he is going
to execute are:

1. Generate a large composite number, $n = pq$, where $p$ and $q$ are
randomly chosen secret primes.

2. Compute $\phi(n) = (p - 1)(q - 1)$.

3. Compute $t = TS$, where $S$ is the number of squarings modulo $n$ per
second that can be performed by the receiver.

4. Generate a random key $K$ for a conventional cryptosystem, such as
AES.

5. Encrypt $M$ with key $K$ and encryption algorithm AES to obtain the
ciphertext $C_M = \mathrm{AES}(K, M)$.

6. Choose a random $a$ modulo $n$ (with $1 < a < n$) and encrypt $K$ as
$C_K = K + a^{2^t} \pmod{n}$. In order to increase the efficiency, one can
initially compute $e = 2^t \pmod{\phi(n)}$ and $b = a^e \pmod{n}$.

7. Produce as output the time-lock puzzle $(n, a, t, C_K, C_M)$, and erase
any other variables (such as $p$, $q$) created during this computation.

The only way for the receiver to decrypt the message is to start with $a$
and perform $t$ squarings sequentially.
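
The sender's shortcut and the receiver's sequential work, side by side, as an added example that is not code from the paper or from [19]. It assumes two fixed Mersenne primes in place of random secret primes, a SHA-256 keystream as a stand-in for AES, and caller-supplied values for $K$ and $a$; all function names are hypothetical.

```python
import hashlib
import math

P, Q = 2**61 - 1, 2**89 - 1   # constructed toy primes; real p, q are random and secret

def stream_xor(key, data):
    """Stand-in for AES(K, M): XOR with a SHA-256 counter keystream (assumption)."""
    pad, block = b"", 0
    while len(pad) < len(data):
        pad += hashlib.sha256(key.to_bytes(16, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(x ^ y for x, y in zip(data, pad))

def make_puzzle(message, key, a, seconds, squarings_per_second, p=P, q=Q):
    """Sender, steps 1-7. key and a must come from a CSPRNG in real use."""
    n = p * q
    phi = (p - 1) * (q - 1)
    t = seconds * squarings_per_second          # t = T * S
    if not (1 < a < n and math.gcd(a, n) == 1 and 0 <= key < 2**128 < n):
        raise ValueError("need 1 < a < n, gcd(a, n) = 1 and a 128-bit key below n")
    e = pow(2, t, phi)                          # shortcut: e = 2^t mod phi(n)
    b = pow(a, e, n)                            # b = a^(2^t) mod n without t squarings
    c_k = (key + b) % n                         # C_K = K + a^(2^t) mod n
    c_m = stream_xor(key, message)              # C_M
    return n, a, t, c_k, c_m                    # p, q, phi, e, b are not returned

def solve_puzzle(n, a, t, c_k, c_m):
    """Receiver: t sequential squarings, each depending on the previous one."""
    b = a % n
    for _ in range(t):
        b = b * b % n
    key = (c_k - b) % n
    return stream_xor(key, c_m)
```

The sender's cost is two modular exponentiations regardless of $t$, while the receiver's loop grows linearly with $t$; that asymmetry exists only because the sender knows $\phi(n)$.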

As we saw above, the TLP approach puts immense computational overhead
on the receiver, who must perform non-stop, non-parallelizable computation
in order to retrieve a time-encrypted message. This could be impractical
(e.g., it would tie up the receiver's CPU) if the message is to be read
sufficiently far into the future. Moreover, the total time needed to solve
a puzzle depends on the receiver's CPU speed and on the time at which
the decryption process is started, making it difficult to accurately predict
exactly when the message will be "released".

Existing TLP approaches include [19], [15], and the timed-release scheme 
for standard digital signatures in [11]. 


3 Passive-Server TRE based on Quadratic Residues 


When [3] introduced the idea of identity-based encryption (IBE), they
referred to TRE as one of its possible applications. [17] implemented that
idea, but did so using a different mechanism than that of [3]. In fact, at
that time, there were two possible solutions for constructing IBE schemes,
one based on bilinear pairings and another one based on quadratic residues
[7]. In [17], the authors chose the second approach, creating the first
server-passive TRE scheme. In their protocol, the sender does not
communicate with the KGC (or time-server) at all. Thus, the KGC's sole
responsibility is to periodically publish a piece of time-embedded
information, also called a 'trapdoor', that is required for the decryption
of messages. Each trapdoor corresponds to a unique time instant and is to
be used by any user that wants to decrypt a message at that time. We
proceed to describe in detail how this system works.

3.1 The QR-TRE approach


There are three entities involved in the scheme of [17], a sender (S), a
receiver (R) and the KGC.


QR-TRE Initialization (run by the KGC)


1. Choose two different prime numbers $p$ and $q$ that are both congruent
to 3 mod 4, so $p \equiv 3 \pmod 4$ and $q \equiv 3 \pmod 4$.

2. Compute the public modulus as $N = pq$.

3. $p$, $q$ are kept secret.

4. $N$ is published and is known to R and S.


QR-TRE Public IBE Key Construction (run by anyone) 


This algorithm is used to create the IBE public key that corresponds
to the time information and works as follows: A hash function that maps
a string into an integer mod $N$ is applied to the string representing the
decryption time. The only restriction is that for the hash value, say $h$,
the Jacobi symbol $\left(\frac{h}{N}\right)$ is +1. For instance, if the
disclosure time is to be on January 1st, 2009, at 12:00 noon (GMT), the
hash output is $h$ = hash(GMT200901011200).

Typically, in order to ensure that the Jacobi symbol
$\left(\frac{h}{N}\right)$ is +1, multiple applications of the hash
function can be used, in a structured way, to produce a set of candidate
values for $h$, stopping when the required result is achieved. We note that
the Jacobi symbol can be easily calculated without the knowledge of the
factorization of $N$ [8]. Moreover, because $\left(\frac{h}{N}\right)$ is
+1, $\left(\frac{h}{p}\right) = \left(\frac{h}{q}\right)$, and because
$\left(\frac{-1}{p}\right) = \left(\frac{-1}{q}\right) = -1$, either $h$ or
$-h$ will be a quadratic residue modulo $p$ and $q$. For additional details
see [7].





QR-TRE Trapdoor Generator (run by the KGC) 


1. Compute $h$ = hash(GMT200901011200) using the QR-TRE Public
IBE Key Construction algorithm.

2. Compute the trapdoor $t = \sqrt{h} \bmod N$. Only the KGC can compute
this value, by calculating $t = h^{(N+5-(p+q))/8} \bmod N$. Such a $t$ will
indeed satisfy either $t^2 \equiv h \pmod N$ or $t^2 \equiv -h \pmod N$,
depending upon which of $t$ or $-t$ is a square modulo $N$.

3. Publish $t$ at decryption time.


QR-TRE Encryption (run by sender) 


Suppose that the sender has knowledge of the public value $N$, and
selects a time-instant, say GMT200901011200, to send a single bit, $m$, to
the receiver.

1. Let $r = 2m - 1$, thus $r = -1$ if $m = 0$ and $r = 1$ if $m = 1$.

2. Choose a random $k \in 0 \ldots N - 1$, such that the Jacobi symbol
$\left(\frac{k}{N}\right) = r$.

3. Compute $h$ = hash(GMT200901011200) using the QR-TRE Public
IBE Key Construction algorithm.

4. Compute $s = (k + h/k) \bmod N$ and send it to the receiver.


QR-TRE Decryption (run by receiver) 


The receiver knows the public value $N$ and the encrypted message $s$.

1. At the appointed time he obtains the trapdoor $t$ from the KGC.

2. Computes $m$ = Jacobi symbol $\left(\frac{s + 2t}{N}\right)$.

3. msg = $(m + 1)/2$, i.e., msg = 0 if $m = -1$, otherwise msg = 1.
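
The four QR-TRE algorithms for a single bit, as an added example that is not code from the paper or from [17]. It assumes two fixed Mersenne primes (both congruent to 3 mod 4) as the KGC's secret, SHA-256 with a counter as the hash, and hypothetical function names. It also goes one step beyond the steps above: because the sender cannot tell whether $h$ or $-h$ is the square, it sends one value of $s$ for each sign, as in the underlying scheme of [7].

```python
import hashlib
import secrets

P, Q = 2**61 - 1, 2**89 - 1   # constructed toy KGC primes, both 3 mod 4

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def time_to_h(time_str, N):
    """Public IBE key: re-hash with a counter until (h/N) = +1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{time_str}|{counter}".encode()).digest()
        h = int.from_bytes(digest, "big") % N
        if jacobi(h, N) == 1:
            return h
        counter += 1

def trapdoor(h, p, q):
    """KGC only: t with t^2 = h or -h (mod N), using the secret p and q."""
    N = p * q
    return pow(h, (N + 5 - (p + q)) // 8, N)

def encrypt_bit(m, h, N):
    """Sender: s = k + (+/-h)/k mod N with (k/N) = r, one s per sign of h."""
    r = 2 * m - 1
    out = []
    for sign in (1, -1):
        k = secrets.randbelow(N - 2) + 2
        while jacobi(k, N) != r:          # Jacobi 0 (shared factor) is rejected too
            k = secrets.randbelow(N - 2) + 2
        out.append((k + sign * h * pow(k, -1, N)) % N)
    return tuple(out)

def decrypt_bit(s_pair, t, h, N):
    """Receiver: pick the s matching t^2, then msg = ((s + 2t / N) + 1) / 2."""
    s = s_pair[0] if pow(t, 2, N) == h else s_pair[1]
    return (jacobi(s + 2 * t, N) + 1) // 2
```

Decryption works because $s + 2t = (k + t)^2 / k \pmod N$, whose Jacobi symbol equals that of $k$; without $t$, recovering the bit from $s$ is the quadratic residuosity problem.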


4 Modern TRE schemes based on Bilinear Pairings


Since the early work on trusted-server based TRE schemes, there have been
many efforts to minimize server-user interaction, as well as to ensure
scalability and user anonymity. After the introduction of IBE, several new
and innovative TRE techniques appeared in the literature [1, 4, 10, 6, 18],
making use of elliptic curve cryptography (ECC) and the efficient
implementation of bilinear pairings on ECs.

All modern pairing-based TRE schemes require an abelian, additive finite
group $G_1$, of prime order $q$, and an abelian multiplicative cyclic group
of the same order, $G_2$. We will let $P$ denote the generator of $G_1$;
$H_i$ will be a secure hash function. Finally,
$\hat{e}: G_1 \times G_1 \to G_2$ will be a bilinear pairing.


Definition 1 (Bilinear Pairings) 

Suppose $G_1$ is an additive cyclic group generated by $P$, whose order is
a prime $q$, and $G_2$ is a multiplicative cyclic group of the same order.
A map $\hat{e}: G_1 \times G_1 \to G_2$ is called a bilinear mapping if it
satisfies the following properties:

1. Bilinear: $\hat{e}(aP, bQ) = \hat{e}(abP, Q) = \hat{e}(P, abQ) =
\hat{e}(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$.

2. Non-degenerate: there exist $P, Q \in G_1$ such that
$\hat{e}(P, Q) \neq 1$.

3. Efficient: there exists an efficient algorithm to compute the bilinear
map.

For our purposes, $G_1$ will be the group of points on an elliptic curve,
and $G_2$ will be a multiplicative subgroup over a finite field. Currently,
the Weil, Tate, Ate and $\eta_T$ pairings can be used to construct an
admissible bilinear pairing. Their implementation can be found in [14].


Definition 2 (Discrete Logarithm Problem)
Given $Q, R \in G_1$, find an integer $a \in \mathbb{Z}_q^*$ such that
$R = aQ$.


Definition 3 (Decisional Diffie-Hellman Problem)
Given $Q \in G_1$, $aQ$, $bQ$ and $cQ$ for some unknowns
$a, b, c \in \mathbb{Z}_q^*$, tell whether $c \equiv ab \pmod q$.


Definition 4 (Computational Diffie-Hellman Problem)
Given $Q \in G_1$, $aQ$, $bQ$ for some unknowns $a, b \in \mathbb{Z}_q^*$,
compute $abQ$.


Definition 5 (Bilinear Diffie-Hellman Problem)
Given $Q \in G_1$, $aQ$, $bQ$ and $cQ$ for some unknowns
$a, b, c \in \mathbb{Z}_q^*$, compute $\hat{e}(Q, Q)^{abc}$.


4.1 A Modern Pairing-Based TRE Scheme 


To illustrate how a pairing-based TRE scheme works, we review the protocol
proposed by [12], chosen mainly because of its simplicity. Most, if not all,
anonymous TRE schemes with pre-open capability are defined by a set of
polynomial-time algorithms similar to those described below.

We will denote time by $t \in \{0,1\}^\tau$, $\tau \in \mathbb{N}$, where
$t$ indicates the $\tau$-bit string representation of a specific time
instant. To send a message, $m$, that will be decrypted at time $t$, the
following protocol is to be executed:


PB-TRE Setup (run by the time-server) 


Given a security parameter k, 


1. Output a $k$-bit prime number $q$, two groups $G_1$, $G_2$ of order $q$,
an admissible bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ and an
arbitrary generator $P \in G_1$.

2. Choose the following cryptographic hash functions:
$H_1: \{0,1\}^\tau \to G_1$, $H_2: G_2 \to \{0,1\}^n$.

3. Generate the time-server's private key $s \in \mathbb{Z}_q^*$ and the
corresponding public key $S = sP \in G_1$.

4. Choose the message space to be $\mathcal{M} = \{0,1\}^n$ and the
ciphertext space to be $\mathcal{C} = G_1 \times \{0,1\}^{n+\tau}$.

The public parameters are params := $\{k, q, G_1, G_2, P, S, \hat{e}, H_1,
H_2, n, \tau, \mathcal{M}, \mathcal{C}\}$.


PB-TRE ReleaseTrapdoor (run by the time-server) 


Given a time instant $t \in \{0,1\}^\tau$ and the server's private key
$s \in \mathbb{Z}_q^*$, it returns the time-specific trapdoor
$sk_T = sT \in G_1$, where $T = H_1(t) \in G_1$. We note that the trapdoor
is in fact a time-server's short signature (as proposed in [2]) on $t$, and
is inherently self-authenticating. Thus, there is no need for an additional
server signature: a user can simply check whether

$$\hat{e}(S, T) \stackrel{?}{=} \hat{e}(P, sk_T).$$


PB-TRE KeyGen (run by the receivers)


Given params, choose a private key $b \in \mathbb{Z}_q^*$ and produce the
receiver's public key $B = bP \in G_1$.


PB-TRE Encryption (run by the senders)


To encrypt $m \in \{0,1\}^n$ using the time information
$t \in \{0,1\}^\tau$, the receiver's public key $B$ and the server's public
key $S$,

1. Choose $r \in \mathbb{Z}_q^*$.

2. Compute $T = H_1(t) \in G_1$, and $Q = rT \in G_1$.

3. Compute $K = \hat{e}(S, Q) = \hat{e}(sP, rT) = \hat{e}(P, T)^{rs} \in
G_2$.

4. Compute $c_1 = rB = rbP \in G_1$ and $c_2 = m \oplus H_2(K) \in
\{0,1\}^n$, where $\oplus$ denotes the XOR function. The ciphertext is
$C := (c_1, c_2, t)$.


PB-TRE Decryption (run by the receivers) 


Given $C := (c_1, c_2, t)$, the trapdoor $sk_T$ and his private key $b$,

1. Compute $R = b^{-1} c_1 = b^{-1} b r P = rP$. $R$ can also be
pre-computed (before the release time).

2. The session key is $K = \hat{e}(R, sk_T) = \hat{e}(rP, sT) =
\hat{e}(P, T)^{rs} \in G_2$.

3. The message is $m = H_2(K) \oplus c_2$.
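
The algebra of ReleaseTrapdoor, the trapdoor self-check, Encryption and Decryption can be traced in a toy model, given here as an added example that is not code from the paper or from [12]. It assumes an insecure stand-in for the pairing: $G_1$ is the integers mod $q = 1019$ under addition with $P = 1$, $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_{2039}^*$ generated by 4, and $\hat{e}(xP, yP) = 4^{xy}$; the hash constructions and all names are hypothetical.

```python
import hashlib

Q_ORD, P_MOD, G = 1019, 2039, 4   # toy sizes: G has prime order Q_ORD mod P_MOD
P_GEN = 1                         # generator "P" of the toy G1 = (Z_q, +)

def pair(x, y):
    """Toy bilinear map e(xP, yP) = G^(xy). Insecure: discrete logs are visible."""
    return pow(G, (x * y) % Q_ORD, P_MOD)

def h1(t):
    """H1: time string -> nonzero element of the toy G1."""
    digest = hashlib.sha256(t.encode()).digest()
    return int.from_bytes(digest, "big") % (Q_ORD - 1) + 1

def h2(k, n):
    """H2: G2 element -> n-byte mask."""
    return hashlib.shake_256(str(k).encode()).digest(n)

def release_trapdoor(s, t):
    """Time-server: sk_T = sT."""
    return (s * h1(t)) % Q_ORD

def trapdoor_is_valid(S, t, sk_t):
    """Anyone: the self-authentication check e(S, T) == e(P, sk_T)."""
    return pair(S, h1(t)) == pair(P_GEN, sk_t)

def encrypt(m, t, B, S, r):
    """Sender: K = e(S, rT), c1 = rB, c2 = m XOR H2(K)."""
    K = pair(S, (r * h1(t)) % Q_ORD)
    c1 = (r * B) % Q_ORD
    c2 = bytes(x ^ y for x, y in zip(m, h2(K, len(m))))
    return c1, c2, t

def decrypt(C, sk_t, b):
    """Receiver: R = b^-1 c1 = rP, K = e(R, sk_T), m = H2(K) XOR c2."""
    c1, c2, _ = C
    R = (pow(b, -1, Q_ORD) * c1) % Q_ORD
    K = pair(R, sk_t)
    return bytes(x ^ y for x, y in zip(c2, h2(K, len(c2))))
```

Both sides arrive at $\hat{e}(P, T)^{rs}$, the sender from $S$ and the receiver from $sk_T$, so neither the receiver's key $b$ alone nor the trapdoor alone yields $K$.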


This protocol does not allow for pre-opening. If pre-opening is needed (a
protocol which supports this function is described in [13]) then the sender
must be equipped with an additional algorithm, which can produce a
"release key". The latter acts as a secondary trapdoor and permits the
receiver to decrypt without waiting (see [13] for additional discussion).


PB-TRE GenPreOpenKey (run by the sender of a message m) 


Using a randomly-chosen secret value v to generate a release key and a 
release time t, output the release key, r,. 